Red Hat Summit Red Hat Summitサポートコンソール開発者トライアルの開始お問い合わせ

このコンテンツは選択した言語では利用できません。

Quick Start Guide

Red Hat Trusted Profile Analyzer 2

Using the Red Hat Trusted Profile Analyzer managed service on Red Hat Hybrid Cloud Console

Red Hat Trusted Documentation Team

Abstract

This Quick Start Guide gives users the essential information to start using the Red Hat Trusted Profile Analyzer managed service on Red Hat Hybrid Cloud Console.

Preface
リンクのコピー

Welcome to the Red Hat Trusted Profile Analyzer (RHTPA) Quick Start Guide!

This is a quick start guide on how to use the Trusted Profile Analyzer managed service on the Red Hat Hybrid Cloud Console.

Chapter 1. Searching for vulnerability information
リンクのコピー

You can use the Trusted Profile Analyzer managed service to find existing Software Bill of Materials (SBOM) documents, Vulnerability Exploitability eXchange (VEX) documents, license information, and common vulnerability and exposure (CVE) information, along advisory information for Red Hat products and software packages.

Important

Trusted Profile Analyzer managed service provides only information for the following Red Hat products:

  • Red Hat Enterprise Linux Universal Base Image (UBI) versions 8 and 9.
  • The Java Quarkus library.

Prerequisites

  • A Red Hat user account to access the Red Hat Hybrid Cloud Console.

Procedure

  1. Open a web browser.
  2. Go to the Application Services home page on the Hybrid Cloud Console.
  3. If prompted, log in to the Hybrid Cloud Console with your credentials.
  4. On the navigation menu, click Trusted Profile Analyzer.
  5. A new web browser window opens to the Trusted Profile Analyzer console home page. From the Trusted Profile Analyzer home page, on the navigational menu, click Search.
  6. Enter your search criteria into the dialog box to begin your search.

  7. On the search results page, you can filter the results by Red Hat products, download SBOM files, view package vulnerability and advisory information, along with any possible remediations.

    Note

    The number shown on the Advisories tab is how many times your search criteria made a match.

Chapter 2. Scanning a software bill of materials file
リンクのコピー

You can scan software bill of materials (SBOM) documents using the Red Hat Trusted Profile Analyzer service on Hybrid Cloud Console or your own {acronym} instance. The Trusted Profile Analyzer service can analyze a standard SBOM, Artificial Intelligence Bill of Materials (AIBOM) containing language models, and Cryptographic Bill of Materials (CBOM) containing keys, certificates, and libraries.

Important

Red Hat does not retain a copy of your scanned SBOM documents.

Prerequisites

  • A Red Hat user account to access the Red Hat Hybrid Cloud Console.
  • An existing CycloneDX 1.3, 1.4, 1.5, 1.6 or Software Package Data Exchange (SPDX) 2.2, 2.3 document files.

Procedure

  1. Open a web browser.
  2. Go to the Application Services home page on the Hybrid Cloud Console.
  3. If prompted, log in to the Hybrid Cloud Console with your credentials.
  4. On the navigation menu, click Trusted Profile Analyzer.
  5. A new web browser window opens to the Trusted Profile Analyzer console home page.
  6. Click SBOMs from the navigation menu.
  7. Click the Generate vulnerability report button.
  8. You can drag and drop your SBOM file directly to this page, or click the Browse Files button, then choose the SBOM file you want to scan.
  9. After {acronym} scans the SBOM file, you get a summary of the analysis, and any specific vulnerability information for the packages included in your SBOM file.

Chapter 3. Configuring Visual Studio Code to use Dependency Analytics
リンクのコピー

You can gain access to Red Hat’s Trusted Profile Analyzer (RHTPA) service by using the Dependency Analytics extension for Microsoft’s Visual Studio Code application. With this extension you get access to the latest open source vulnerability information, and insights about your application’s dependent packages.

Dependency Analytics supports the analysis of Dockerfiles, and the following package managers:

  • Maven

  • Gradle

    • Groovy DSL
    • Kotlin DSL
  • NPM
  • PNPM

  • Yarn

    • Berry
    • Classic
  • Python PIP
  • Go mod
Important

Visual Studio Code by default, executes binaries directly in a terminal found in your system’s PATH environment. You can configure Visual Studio Code to look somewhere else to run the necessary binaries. You can configure this by accessing the extension settings. Click the Workspace tab, search for the word executable, and specify the absolute path to the binary file you want to use for Maven, Node, Python, or Go.

Note

The Dependency Analytics extension is an online service maintained by Red Hat. Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the results.

Prerequisites

  • Install Visual Studio Code on your workstation.
  • For Dockerfiles, the syft binary must be in your system’s PATH environment.
  • For Maven projects, analyzing a pom.xml file, you must have the mvn binary in your system’s PATH environment.
  • For NPM projects, analyzing a package.json file, you must have the npm binary in your system’s PATH environment.
  • For Go projects, analyzing a go.mod file, you must have the go binary in your system’s PATH environment.
  • For Python projects, analyzing a requirements.txt file, you must have the python3/pip3 or python/pip binaries in your system’s PATH environment. Also, the Python application needs to be in VS Code’s interpreter path.
  • For Gradle projects, analyzing a build.gradle file for Groovy DSL, or a build.gradle.kts file for Kotlin DSL.

Procedure

  1. Open the Visual Studio Code application.
  2. From the file menu, click View, and click Extensions.
  3. Search the Marketplace for Red Hat Dependency Analytics.
  4. Click the Install button to install the extension. Wait for the installation to finish.

  5. To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of the following:

    • Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red line under a dependency name, click Quick Fix, and click Detailed Vulnerability Report.
    • Open a manifest file, and click the pie chart icon.
    • Right click the manifest file in the Explorer view, and click Red Hat Dependency Analytics Report…​.
    • From the vulnerability pop-up alert message, click Open detailed vulnerability report.

  6. If you want to exclude specific packages for analysis, you can use the exhortignore as a comment tag for your specific programming language.

    • For Maven, update the pom.xml file: 

      ...
<dependency> <!--exhortignore-->
  <groupId>...</groupId>
  <artifactId>...</artifactId>
  <version>...</version>
</dependency>
...
      Copy to Clipboard Toggle word wrap

    • For Go, update the go.mod file: 

      module github.com/trustify-da/SaaSi/deployer

go 1.19

require (
        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
        github.com/emicklei/go-restful/v3 v3.9.0 // indirect
        github.com/go-logr/logr v1.2.3 // indirect //exhortignore

)
...
      Copy to Clipboard Toggle word wrap

    • For Python, update the requirements.txt file: 

      ...
click==8.0.4 #exhortignore
...
      Copy to Clipboard Toggle word wrap

    • For Gradle, update the build.gradle file: 

      plugins {
id 'java'
}

group = 'groupName'
version = 'version'

repositories {
    mavenCentral()
}

dependencies {
    implementation "groupId:artifactId:version" // exhortignore
}
test {
    useJUnitPlatform()
}
      Copy to Clipboard Toggle word wrap

Chapter 4. Configuring IntelliJ to use Dependency Analytics
リンクのコピー

You can gain access to Red Hat’s Trusted Profile Analyzer service by using the Dependency Analytics plugin for Jet Brains' IntelliJ IDEA application. This plugin gives you access to the latest open source vulnerability information, and insights about your application’s dependent packages.

Dependency Analytics supports the analysis of Dockerfiles, and the following package managers:

  • Maven

  • Gradle

    • Groovy DSL
    • Kotlin DSL
  • NPM
  • PNPM

  • Yarn

    • Berry
    • Classic
  • Python PIP
  • Go mod
Note

The Dependency Analytics extension is an online service maintained by Red Hat. Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the results.

Prerequisites

  • Install IntelliJ IDEA on your workstation.
  • For Dockerfiles, the syft binary must be in your system’s PATH environment.
  • For Maven projects, analyzing a pom.xml file, you must have the mvn binary in your system’s PATH environment.
  • For Node projects, analyzing a package.json file, you must have the npm binary in your system’s PATH environment.
  • For Go projects, analyzing a go.mod file, you must have the go binary in your system’s PATH environment.
  • For Python projects, analyzing a requirements.txt file, you must have the python3/pip3 or python/pip binaries in your system’s PATH environment.
  • For Gradle projects, analyzing a build.gradle file for Groovy DSL, or a build.gradle.kts file for Kotlin DSL.

Procedure

  1. Open the IntelliJ application.
  2. From the file menu, click Settings , and click Plugins.
  3. Search the Marketplace for Red Hat Dependency Analytics.
  4. Click the INSTALL button to install the plugin.

  5. To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of the following:

    • Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red line under a dependency, and click Detailed Vulnerability Report.
    • Right click the manifest file in the Project window, and click Dependency Analytics Report.

  6. If you want to exclude specific packages for analysis, you can use the exhortignore as a comment tag for your specific programming language.

    • For Maven, update the pom.xml file: 

      ...
<dependency> <!--exhortignore-->
  <groupId>...</groupId>
  <artifactId>...</artifactId>
  <version>...</version>
</dependency>
...
      Copy to Clipboard Toggle word wrap

    • For Go, update the go.mod file: 

      module github.com/trustify-da/SaaSi/deployer

go 1.19

require (
        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
        github.com/emicklei/go-restful/v3 v3.9.0 // indirect
        github.com/go-logr/logr v1.2.3 // indirect //exhortignore

)
...
      Copy to Clipboard Toggle word wrap

    • For Python, update the requirements.txt file: 

      ...
click==8.0.4 #exhortignore
...
      Copy to Clipboard Toggle word wrap

    • For Gradle, update the build.gradle file: 

      plugins {
id 'java'
}

group = 'groupName'
version = 'version'

repositories {
    mavenCentral()
}

dependencies {
    implementation "groupId:artifactId:version" // exhortignore
}
test {
    useJUnitPlatform()
}
      Copy to Clipboard Toggle word wrap

Legal Notice
リンクのコピー

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。 最新の更新を見る.

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

Theme

© 2026 Red Hatトップに戻る